A target of infrastructure hacks, the nation’s government has a long way to go if it’s to protect itself in the future.

It bears the brunt of many hacks that target the wider world, like the recent NotPetya attack. But it also struggles in the face of something more troubling: not once, but twice, parts of the country have been plunged into darkness as a result of hackers taking aim at its energy infrastructure.

These aren’t the kind of hacks that mean tech-savvy folks need to change their login credentials, but precursors to something far more serious: potentially devastating and life-threatening infrastructure disruptions that could leave thousands or millions of people without electricity or other utilities. As Wired recently explained, some of the attacks targeted at the Ukraine are likely to be tests by Russia as it perfects tools to use in larger-scale cyberwar.

Reading a new report from Reuters about how Ukraine is attempting to shore up its cyber defenses, it’s easy to understand why Russia might have decided to target the country. Aside from political tensions, the fact is that Ukraine’s digital infrastructure has been, to put it bluntly, a mess. From Reuters:

When the chief of Microsoft Ukraine switched jobs to work for President Petro Poroshenko [in 2014], he found that everyone in the [president's] office used the same login password … Sometimes pressing the spacebar was enough to open a PC … Most computers run on pirated software, and even when licensed programs are used, they can be years out of date and lack security patches to help keep the hackers at bay.

The report does go on to explain that, fortunately, the culture has begun to improve over the past three years. The president’s office has changed its security policies, while the government has updated software systems (though an estimated 82 percent of software in the country is unlicensed). And the nation has built out a cyberpolice team, which is funded by the U.K., while government agencies run regular simulations so that employees know how to deal with hacks when they take place.

But take place they still do. The report also says that Ukrainian government systems are on the receiving end of denial of service (DDoS) attacks once every two weeks, and officials appear to admit that they're still not doing enough to counteract the threats. In other words, there’s still a long way to go before Ukraine’s systems can shrug off the cyber onslaught that continues to head their way.